cant get access from outside to webpage
-
@pooperman said in cant get access from outside to webpage:
anschreikurse.duckdns.org
Those URLs are going to resolve to the external IP of the ISP router. Unless that has some sort of NAT reflection it will never hit HAProxy when you test from there.
Try testing from a different public IP so the ISP router forwards it to HAProxy.
Steve
-
ISP router just has port forward on 80 and 443 to 192.168.1.120 (wan of pfSense). nothing else is configured there.
Anyhow, also tried with phone over cell network( vpn deactivated ;-) ), same resultI still think, that something in the pfsense settings is not correct.
below NAT table
looks good to me, there should nothing interupt the traffic related to my issue
-
Ok, it looks like the firewall rules on WAN allowing access to HASProxy are disabled. Is that still the case?
Of so, enable them and enabled logging on those rules so you can see when connections are coming in. Then retest via the phone and make sure you see passed traffic from the phone IP in the firewall log?
Steve
-
@stephenw10 said in cant get access from outside to webpage:
Ok, it looks like the firewall rules on WAN allowing access to HASProxy are disabled. Is that still the case?
Of so, enable them and enabled logging on those rules so you can see when connections are coming in. Then retest via the phone and make sure you see passed traffic from the phone IP in the firewall log?
Steve
when I took the screenshot I moved back to have the initial state. During testing rules were on and openVPN off.
Give me a few minutes, will set it up and show the log files.
-
Rules are enabled
that is the page from LAN view
that is the log
I know there is a different view for logs, which can be copied, but i cant find it.
-
If you enable logging on those pass rules on those pass rules then traffic that is matched and passed will be shown in the firewall log.
However you can see from the state counters there that nothing had been passed by them when that screenshot was taken.
It looks like no traffic is arriving on the WAN for ports 80 or 443. Check the ISP router is actually passing it.
Steve
-
@stephenw10
i am very sure it is not related to ISP router, as port 443 for openvpn never had any issues.however, i put it into DMZ mode, so there is absolutely nothing what might block it.
still no sucess.
-
@stephenw10
when I use anschreikurse.duckdns.org from phone I get a warning for certificate is untrusted. I checked the cert and it is the root CA from pfSense.If I click yes continue unsafe, it shows me loginpage of pfsense.
So that shows me, isp router is working fine and dns resulution is also working
-
I assume that screenshot was taken before you had tested that then as there are no connections shown.
Ok, you will need to change the port the pfSense GUI is listening on in Sys > Adv > Admin Access. You cannot have nginx and HAProxy both listening on 443.
HAProxy will logged that. It would have failed to start the frontend on 443.Steve
-
@stephenw10
good point!i havent seen any notification but yes makes sense. so pfsense login is now on different port.
I came to the setting nat reflection mode for port forwards under admin advanced
it is set to disabled. is that correct?
-
That's the default setting. You do not need NAT reflection here at all, HAProxy proxies the traffic is does not forward it.
Steve
-
-
With the correct certificate?
-
I think so
cert is for anschreikurse.duckdns.orghaproxy frontend is also for anschreikurse.duckdns.org
backend is nc.anschreikurse.duckdns.org -
